Keychain-busting zero-day disclosed hours before release of macOS High Sierra

David Bisson

Keychain-busting zero-day disclosed hours before release of macOS High Sierra

Keychain-busting zero-day disclosed hours before release of macOS High Sierra

A security researcher has disclosed a password exfiltration zero-day that affects macOS version 10.13 (aka “High Sierra”) and earlier versions of the operating system.

On 25 September, Synack’s director of research Patrick Wardle tweeted out a video of the zero day in action on a Mac virtual machine running High Sierra.

In the video, an app installs while a theoretical attacker running the Netcat network utility waits on a remote server.

The hypothetical malicious hacker follows up successful installation of the app by clicking an “exfil keychain” button. In doing so, they execute a script that exploits a zero-day vulnerability affecting the iCloud Keychain, an Apple feature which stores things like passwords and credit card credentials. The script subsequently steals everything stored in Keychain and uploads it to the server.

Wardle exploited the vulnerability by developing a third-party app that a user could theoretically download off a third-party website. In response to that attack vector, the folks at Apple would like to remind users to follow best security practices. As quoted in a statement provided to Ars Technica:

“macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents.”

A good reminder. But not enough for Apple to get off scot-free.

On the contrary, Wardle reported this zero-day vulnerability to Apple in early September, but the tech giant failed to patch it prior to High Sierra’s public release on 25 September. This failure to protect users has left the researcher with a bitter taste in his mouth. As quoted by ZDNet:

“As a passionate Mac user, I’m continually disappointed in the security of macOS. I don’t mean that to be taken personally by anybody at Apple – but every time I look at macOS the wrong way something falls over. I felt that users should be aware of the risks that are out there I’m sure sophisticated attackers have similar capabilities.”

“Apple marketing has done a great job convincing people that macOS is secure, and I think that this is rather irresponsible and leads to issues where Mac users are overconfident and thus more vulnerable.”

Going forward, Apple would be wise to follow Wardle’s advice and expand its current iOS-exclusive bug bounty program to also cover macOS.

We can also only hope that publicity surrounding Wardle’s exploit pressures Apple to release a patch for this bug and for another zero-day flaw disclosed by Wardle in early September. And soon!

David Bisson David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One Reply to “Keychain-busting zero-day disclosed hours before release of macOS High Sierra”

  1. I used to think Apple was losing its way…forgetting its roots. But I don't think that any more. Now I know it for certain.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Stay informed!

Join thousands of others by signing-up for the free “GCHQ” newsletter, containing the latest news and tips from security expert Graham Cluley.



Yes, I would like to subscribe to email updates from Graham Cluley. I know it’s easy to unsubscribe if I ever change my mind.